CVE-2021-33790
Published 2021-05-31
Priority: P260, critical, 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.84% (84.9th percentile)
The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| techreborn | reborncore | <= 3.13.8 | — |
| techreborn | reborncore | >= 3.19.0 < 3.19.5 | 3.19.5 |
| techreborn | reborncore | >= 4.2.0 < 4.2.10 | 4.2.10 |
| techreborn | reborncore | >= 4.7.0 < 4.7.3 | 4.7.3 |
CVSS provenance
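| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |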
https://github.com/TechReborn/RebornCore/security/advisories/GHSA-r7pg-4xrf-7mrm
https://vuln.ryotak.me/advisories/45
https://www.curseforge.com/minecraft/mc-mods/reborncore